CVE-2011-0010: sudo Group ID Privilege Escalation

This neat vulnerability in sudo was reported by Alexander Kurtz to the Debian bug tracking system. The problem was that you could change your GID without being asked for a password, which could result in privilege escalation. The buggy code was in check.c, which you can see here:

The check did not prompt the user for a password if any of the following was true:
– User ID was 0 (aka root)
– User ID matched the “Run As” one
– The user is exempt (from sudo’s configuration file)
As you can see there was no check for the group of the user. The new releases of sudo updated the above check with this patch:
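
As an added illustration (a simplified model written for this page, not the code from check.c and not the upstream patch), the C below puts the three-condition check next to a version that also looks at the requested group. The struct, its fields, the function names and the sample IDs are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical model of one sudo invocation (not sudo's own structures). */
struct request {
    uid_t user_uid;       /* invoking user */
    const gid_t *groups;  /* groups the invoking user already belongs to */
    size_t ngroups;
    uid_t runas_uid;      /* "Run As" user */
    bool runas_gid_set;   /* true when a "Run As" group was requested */
    gid_t runas_gid;
    bool exempt;          /* exempt via sudo's configuration file */
};

static bool user_in_gid(const struct request *r, gid_t gid) {
    for (size_t i = 0; i < r->ngroups; i++)
        if (r->groups[i] == gid)
            return true;
    return false;
}

/* Before: the three listed conditions; the requested group is never examined. */
bool skip_password_before(const struct request *r) {
    return r->user_uid == 0 || r->user_uid == r->runas_uid || r->exempt;
}

/* After: "same user" counts only if no group is requested or the user is already in it. */
bool skip_password_after(const struct request *r) {
    bool same_identity = r->user_uid == r->runas_uid &&
        (!r->runas_gid_set || user_in_gid(r, r->runas_gid));
    return r->user_uid == 0 || same_identity || r->exempt;
}

/* Constructed sample: uid 1000 in groups {1000, 27}, running as itself. */
static const gid_t sample_groups[] = { 1000, 27 };
int demo(bool fixed, bool gid_set, gid_t gid) {
    struct request r = { 1000, sample_groups, 2, 1000, gid_set, gid, false };
    return fixed ? skip_password_after(&r) : skip_password_before(&r);
}

int main(void) {
    printf("group 0 requested: skip before=%d, skip after=%d\n",
           demo(false, true, 0), demo(true, true, 0));
    return 0;
}
```

With the group condition in place, a request for a group the user does not already belong to falls through to the password prompt, while requests with no group change behave as before.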